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SECURITY IN TELECOMMUNICATIONS NETWORK GATEWAYS 



TH^Irl of thr> Tmrpnfirm 

4 

The present invention relates to security in 
telecommunications networks and in particular to a 
method and apparatus for preventing one Internet Access 
8 Provider from interfering with telephone circuits 
allocated to another Internet Access Provider by a 
common telecommunications network operator. 

12 Background to the, Invention 

At the present time, in order to access the Internet, a 
user typically has to make a connection (possibly via a 

16 modem) to a local telephone exchange of a telecom 
operator. The exchange then sets-up a circuit switched 
connection between the user and an input device of an 
Internet Service Provider (ISP) identified by a 

20 telephone number (B-number) dialled by the. user. In 
some cases, the connection may be routed via one or more 
intermediate exchanges. In either case, the telephone 
network treats the connection as . it would any normal 

24 telephone -to- telephone connection, i.e. it is not aware 
that the connection serves as an Internet access 
connection. 

28 The European Telecommunications Standards Institute 
(ETSI) has recently established a project under the 
acronym TIPHON (Telecommunications and Internet Protocol 
Harmonisation Over Networks) to support the market for 

32 voice communication and related voiceband communication 
(e.g. facsimile) between users connected to both circuit 
switched networks and IP based networks. As part of 
TIPHON, it has been proposed to more closely integrate 

36 the ISPs into the telecommunications networks and in 
particular to provide for the exchange of signalling 
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information between ISPs and the exchanges of 
telecommunications networks, for the purpose of setting 
up and managing the circuit switched connections between 
4 exchanges and the input devices of the ISPs. 

The current TIPHON proposal provides for a signalling 
gateway which acts as the interface between the 

8 signalling network of the telecom operator and the ISP. 
It is expected that the signalling network of the 
telecom operator will typically be a Signalling System 
No^7 (SS7) network which carries messages of the ISDN 

12 User Part (ISUP) protocol, whilst communications between 
the signalling gateway and the ISP are expected to be 
carried over an IP network. One of the roles of the 
signalling gateway is therefore to seamlessly relay ISUP 

16 messages from the Time Division Multiple Access (TDMA) 
SS7 network to the ISP over the packet switched IP 
network, and vice versa. The signalling gateway is 
generally referred to as an SS7/IP gateway. 

20 

It is likely that the SS7/IP gateways will be under the 
control of the telecom network operator, and that a 
single gateway may provide a signalling interface to the 
24 telecom network for a plurality of independently 
operated ISPs. 

Summary of t-ho PrPRPnf Tnwnhinn 

28 

The inventors of the present invention have discovered 
that under the current TIPHON proposals it is possible 
for an ISP connected to an SS7/IP gateway to interfere 
32 with the control of another ISP, and in particular with 
circuits allocated to that other ISP, connected to the 
same SS7/IP gateway. 
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It is therefore an object of the present invention to 
overcome or at least mitigate this problem of fraudulent 
(or accidental) cross-ISP interference. 

4 

This and other objects are achieved by including 
functionality in the SS7/IP gateway for authenticating 
signalling messages received from ISPs connected thereto 
8 on the basis of the message content and the origins of 
the messages. 

According to a first aspect of the present invention 

12 . there is provided a method of transferring signalling 
messages between an Internet Service Provider (ISP) and 
an exchange of a telecommunications network for the 
purpose of allocating and controlling circuit switched 

16 communication channels between the exchange and the ISP, 
the method comprising: 

routing said signalling messages via a signalling 
gateway which provides for conversion of messages 

20 between a first transmission protocol used in the 
telecommunications network and a second transmission 
protocol used in the network which connects the 
signalling gateway to the ISP; and 

24 for each message received at the signalling gateway 

from the ISP, confirming the right of that ISP to 
control a circuit switched communication channel 
identified in the message. 

28 

By authenticating signalling messages received at the 
signalling gateway from the ISP, the signalling gateway 
is able to prevent fraudulent messages from being passed 
32 from the ISP to the exchange which might otherwise 
interfere with those circuits allocated by the exchange 
to another ISP. 
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Preferably, a record is maintained at the signalling 
gateway, of the circuit switched communication channels 
allocated to each ISP coupled to the signalling gateway. . 

4 

Preferably, the telecommunication network comprises a 
Signalling System No. 7 (SS7) based signalling network 
which is interfaced to the ISP via the signalling 
8 gateway. More preferably, the network coupling the 
signalling gateway to the ISP is an IP based network, 
such that the signalling gateway provides a conversion 
between at least the Message Transfer Part protocols 
12 (i.e. said first transmission protocol) of the SS7 
network and the IP based protocols. This arrangement 
allows ISUP messages to be transferred, transparently, 
between the exchange and the ISP. 

16 

In certain embodiments of the invention, the ISP from 
which a signalling message originates is identified at 
the signalling gateway by virtue of the source IP 

20 address associated with the IP datagram in which the . 
message is delivered to the gateway. Typically, each 
ISP coupled to the signalling gateway is allocated a 
unique IP address. The signalling gateway maintains a 

24 record of those circuits which are allocated to a given 
ISP/IP address. 

In other embodiments of the invention, each of the ISPs 
28 connected to a given signalling gateway is allocated a 
unique Point Code in the signalling network of the 
telecommunications network, Point Codes being included 
in the header of a signalling message to indicate the 
32 destination and source of the message. The signalling 
gateway screens messages received from an ISP to confirm 
that the source Point Codes contained therein correspond 
to the actual ISPs from which they originated. Again, 
36 the originating ISP for a message may be identified on 
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the basis of the source IP address of the message 
containing datagram. 

4 In other embodiments of the invention, the ISP from 
which a signalling message originates is identified by 
virtue of the input port/device of the signalling 
gateway at which the message. Thus input port/device 

8 identity may be used as an alternative to the source ISP 
IP address. 

According to a second aspect of the present invention 

12 s there is provided apparatus for transferring signalling 
messages between an Internet Service Provider (ISP) and 
an exchange of a telecommunications network for the 
purpose of allocating and controlling circuit switched 

16 communication channels between the exchange and the ISP, 
the apparatus comprising a signalling gateway coupled 
between a signalling network of a telecommunications 
.network and a network connected to an Internet Service 

20 Provider (ISP) and arranged to: 

convert messages between a first transmission 
protocol used in the telecommunications network and a 
second transmission protocol used in the network which 

24 connects the signalling gateway to the ISP; and 

for each message received at the signalling 
gateway from the ISP, to confirm the right of that ISP 
to control a circuit switched communication channel 

28 identified in the message. 

32 For a better understanding of the present invention and 
in order to show how the same may be carried into effect 
reference will now be made, by way of example, to the 
accompanying drawings, in which: 
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Figure l shows a signalling gateway coupling a 
signalling network of a telecommunications network to a 
number of. ISPs; 

4 Figure 2 illustrates schematically the protocol 

stacks implemented at the signalling gateway of Figure 
1; and 

Figure 3 is a flow diagram illustrating the method 
8 of operation of the signalling gateway of the network of 
Figure 1. 

Detail PH DpgrHpt-inn nf Porh^ n PmhnHimonfc 

12 

In Figure 1 there is illustrated a subscriber telephone 
1 connected to a local access exchange 2 of a telephone 
network. This network is assumed to be a conventional 

16 network employing PSTN, ISDN, or certain other known 
communication protocols. Within the network, circuit 
switched channels over which voice or data may be 
transmitted are set up and controlled using a Signalling 

20 System No. 7 based signalling network (e.g. CCITT No. 7) . 
More particularly, inter- exchange signalling messages 
carried by the SS7 network conform to the ISDN User Part 
(ISUP) protocol. 

24 

The present example is concerned with the setting-up and 
control of a voice communication channel between the 
telephone network subscriber terminal l and a remote 

28 terminal (not shown in Figure 1) coupled to the Internet 
3. The remote terminal may be for example a mult i -media 
PC connected via a modem and a local access network to 
the Internet 3, or it may be a telephone network 

32 subscriber telephone similar to the telephone l. in 
either case, voice data is communicated between the two 
terminals/telephones over the Internet 3. 

36 A number of ISPs 4 are each allocated a large number of 
circuit switched channels by the access exchange 2, and 
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each of these channels has an identification number 
(CIC) unique to the exchange 2. In order to access the 
Internet, it is necessary to establish a connection over 
4 one of the allocated channels between the subscriber 
telephone 1 and an Internet interface device 5 (via the 
access exchange 2) provided by one of the ISPs 4. 

8 The interface device 5 is known in the art as a "Media 
Gateway" and is arranged to convert voice information 
received from the telephone 1 into a form suitable for 
transmission over the Internet (involving for example 

12 transcoding, formatting, etc) and to perform the reverse 
transformation for data received over the Internet and 
destined for the telephone 1. It is noted that the 
Media Gateway 5 may communicate with a remote Media 

16 Gateway, or with a remote IP terminal, using the ITU 
multi -media protocol H.323 although this will not be 
considered here in further detail, 

20 Each ISP 4 has a "Media Controller" 6 which is analogous 
to a conventional telecommunications network switch, 
i.e; it is responsible for the general management of 
Media Gateway resources and in particular for allocating 

24 Media Gateways to subscribers (or rather to circuits 
originating at the access exchange 2) . 

The Media Controller 6 is arranged to exchange 
28 signalling information with a signalling gateway 7, 
referred to hereinafter as an SS7/IP gateway, which is 
under the control of the telecommunications network 
operator and can thus be considered secure from the 
32 point of view of the operator. The SS7/IP gateway 7 is 
connected to the SS7 network and as such is typically 
allocated a unique Point Code within the visibility area 
of the SS7 network, which Code provides a destination 
36 (and source) address for messages within the network. 
The physical connection between the Media Controllers 6 
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and the SS7/IP gateway 7 is provided by an IP network 
which may be the Internet but which is more probably an 
intranet having no public access. 

4 

Figure 2 illustrates the communication protocol layers 
implemented at the SS7/IP gateway 7 in order to allow 
ISUP messages carried by the SS7 signalling network to 
8 be relayed over the IP network to the Media Controllers 
6, and vice versa. ISUP messages received at the SS7/IP 

gateway 7 from the access exchange 2 over the SS7 
network are processed through a Message Transfer Part 

12 (MTP) layer 8 (see "Understanding Telecommunications", 
vols. 1 & 2, Student litteratur, Lund, Sweden (ISBN 91- 
44-00214-9)) before being passed to a processing arid 
control part 9. Messages are relayed through this part 

16 9 before being processed by a TCP/IP part 10 to provide 
IP datagrams suitable for transmission over the IP 
network to the Media Controllers 6 . Messages received 
at^ the SS7/IP gateway 7 over the IP network are 

20 processed in the reverse direction, with the processing 
and control part 9 performing an additional message 
authentication operation as will now be described. 

24 For the purpose of routing datagrams over the IP network 
between the SS7/gateway 7 and the Media Controllers 6 of 
the various ISPs 4, each Media Controller 6 is allocated, 
an IP address (unique in that IP network) . The IP 

28 address allocated to a Media Controller 6 is 
incorporated into, all datagrams sent by that controller 

6 to the SS7/IP gateway 7 and enables the SS7/IP gateway 

7 to confirm the source of a received packet. 

32 

When a signalling message is received by the SS7/IP 
gateway 7, the processing and control part 9 identifies 
the IP address associated with the message. The gateway 
36 7 maintains a record of the IP addresses allocated to 
the various Media Controllers 6 as well as a record of 
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the circuits (CICs) allocated to each ISP. Each 
signalling message contains in its header part the CIC 
to which the message relates. The processing and 

4 control part 9 confirms that the originating ISP 4, 
identified from the source IP address, is allocated the 
CIC to which the signalling message relates. If the 
result is positive, the message is passed to the MTP 8 

8 for relaying to the access exchange 2. If the result is 
negative, i.e. the signalling message relates to a CIC 
not allocated to the originating ISP 4, then the message 
is not relayed further and is discarded. In this event, 
12 an error message may be returned to the originating ISP 
4 and also possibly to the access exchange 2. 

Figure 3 is a flow chart illustrating the message 
16 authentication, and relay steps performed at the SS7/IP 
gateway 7 upon receipt of a signalling message from an 
ISP 4. 

20 It will be appreciated that modifications may be made to 
the above described embodiment without departing from 
the scope of the present invention. For example, each 
Media Controller 6 may be allocated a Point Code in the 

24 SS7 network of the telecommunications network. Thus, a 
Media Controller 6 may be made the destination node for 
an SS7 message rather than the SS7/IP gateway (although 
signalling messages are still routed through the SS7/IP 

28 gateway) . As the Point Code is included in the header 
of an ISUP message, the SS7/IP gateway 7 may authorise a 
received signalling message by matching the Point code 
included in the message header with the source IP 

32 address. 

Whilst the embodiment described above includes only a 
single exchange 2 to which the subscriber telephone 1, 
36 the SS7/IP gateway 7, and the ISPs 4 are all directly 
connected, it will be appreciated that this need not be 
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the case. Indeed, a more likely scenario involves a 
number of transit exchanges through which signalling 
data and circuit switched channels are routed. It will 
4 also be appreciated that the present invention is not 
limited to voice communications and is also applicable 
to general data communications. 

8 The above description has also been concerned with the 
use of ISPs to connect subscribers to the Internet. The 
present invention may also be employed in connection 
with ISPs which connect subscribers to one or more 

12 closed intranets. 
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Claims 

1. A method of transferring signalling messages 
between an Internet Service Provider (ISP) and an 
5 exchange of a telecommunications network for the purpose 
of allocating and controlling circuit switched 
communication channels between the exchange and the ISP f 
the method comprising: 

routing said signalling messages via a signalling 

10 gateway which provides for conversion of messages 
between a first transmission protocol used in the 
telecommunications network and a second transmission 
protocol used in the network which connects the 
signalling gateway to the ISP; and 

15 for each message received at the signalling gateway 

from the ISP, confirming the right of that ISP to 
control a circuit switched communication channel 
identified in the message. 

20 2. A method according to claim 1 and comprising 
maintaining a record at the signalling gateway of the 
circuit switched communication channels allocated to 
each ISP coupled to the signalling gateway, 

25 3. A method according to claim 1 or 2, wherein the 
telecommunication network comprises a Signalling System 
No. 7 (SS7) based signalling network which is interfaced 
to the ISP via the signalling gateway, 

30 4 . A method according to any one of the preceding 
claims, wherein the network coupling the signalling 
gateway to the ISP is an IP based network. 

5. A method according to claim 4 when appended to 
35 claim 3, wherein the signalling gateway provides a 
conversion between at least the Message Transfer Part 
protocols of the SS7 network and the IP based protocols 
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enabling ISUP messages to be transferred, transparently, 
between the exchange and the ISP. 

6. A method according to claim 4 or 5, wherein the ISP 
5 from which a signalling message originates is identified 
at the signalling gateway by virtue of the source IP 
address associated with the IP datagram in which the 
message is delivered to the gateway. 

* 10 7. A method according to claim 3 or to any one of 
claims 4 to 6 when appended to claim 3, wherein each of 
the ISPs connected to a given signalling gateway is 
allocated a unique Point Code in the signalling network 
of the telecommunications network, Point Codes being 

15 included in the header of a signalling message to 
indicate the destination and source of the message, and 
the signalling gateway screens messages received from an 
ISP to confirm that the source Point Codes contained 
therein correspond to the actual ISPs from which they 

20 originated. 

8 ♦ A method according to claim 3 or to any one of 
claims 4 to 6 when appended to claim 3, wherein the ISP 
from which a signalling message originates is identified 
25 by virtue of the input port/device of the signalling 
gateway at which the message arrives. 

9. Apparatus for transferring signalling messages 
between an Internet Service Provider (ISP) and an 

30 exchange of a telecommunications network for the purpose 
of allocating and controlling circuit switched 
communication channels between the exchange and the ISP, 
the apparatus comprising a signalling gateway coupled 
between a signalling network of a telecommunications 

35 network and a network connected to an Internet Service 
Provider (ISP) and arranged to: 
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convert messages between a first transmission 
protocol used in the telecommunications network and a 
second transmission protocol used in the network which 
connects the signalling gateway to the ISP; and 
5 for each message received at the signalling gateway 

from the ISP, to confirm the right of that ISP to 
control a circuit switched communication channel 
identified in the message. 
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